Suits The C-Suite

CHANGE IS COMING faster than ever. As technology and the world economy change at an accelerated pace, so too does the level of emerging risks that come with them, driven by regulatory requirements and globalization, among others. These changes are having a significant impact on how internal audit (IA) functions in an organization.

Management relies on IA to provide assurance on the effectiveness of internal controls and company processes, while also providing support to a diverse array of risk management and business process improvements. Because recent developments in technology are affecting the way business is conducted, stakeholders also expect IA to cope with the volatility. IA is further expected to elevate its profile so that it can identify, anticipate, assess and address emerging risks arising from business changes; transform the IA function to provide improved strategic value to stakeholders; and provide cost efficiencies to the business.

Current trends in technology and emerging risks are significantly challenging how IA strategy and approach are designed and executed.

Traditionally, when an audit is performed, auditors focus on what could go wrong. They identify and test the controls that address what could go wrong by extracting and selecting a representative sample from the population. Given that the process of sample selection is random, the sample might not be properly representative, and the resulting audit may miss critical areas and fail to identify all relevant issues.

Using analytics, IA can examine an entire population by mining past data to better understand what has already happened, anticipate future events, and help determine the effectiveness of future decisions and actions. It allows analysis of the full population versus sample data in order to identify anomalies, see patterns and note any trends that may point to significant control or process deficiencies.

IA’s adoption of analytics means not only acquiring tools and techniques but also changing its mindset. IA needs to know what it is looking for in order to identify the appropriate data to pull and the analytics program to develop. This is only the first step. The ability to institutionalize the process to make it repeatable and scalable across the organization is a journey that will require the right resources, project management and governance.

In past columns, we have written about how robotic process automation (RPA) is working to streamline operations, enhance productivity and reduce mistakes in organizations, as well as how companies can leverage RPA to upskill existing talent to create combined human and robotic work forces. The same holds true for IA, where RPA can handle the execution of repetitive and controllable processes, thereby freeing up human talent for more critical, value-added, judgment-based work. Robotics can also be integrated with analytics, thereby leveraging large volumes of data to perform cognitive tasks.

An example is a global engineering company that uses robotics during the IA process to perform analytics on bank transactions and identify any mismatched amounts, dates, currencies or bank account numbers. Similarly, RPA can be used to format and upload data into an analytics tool, allowing the system to ensure 100% coverage of data, with faster processing time and reduced chance of human error.

Social media are redefining the way we develop our networks and even manage businesses. A majority of online adults use social networking sites to do business or share opinions, views, photos and media. This disruption presents new challenges and opportunities to companies and gives rise to significant risks, such as employees inadvertently leaking sensitive company information, criminal hackers, and multiple platforms creating more exposure to viruses, malware and phishing. IA’s business insight and control expertise play an important role in raising awareness of how social media can be better managed across the organization, and in identifying and evaluating the threats that social media pose to the organization’s information security protocols.

Cloud computing has become a force in the marketplace and is now common as companies seek to reduce costs and streamline operations. When systems are moved to the cloud and managed by third parties, due diligence related to controls is often missed. Use of cloud computing presents certain risks that need to be considered when IA designs its audit procedures. Examples include infrastructure and architectural risks (ability of providers to achieve agreed performance), regulatory and compliance risks (transparency in security controls), contractual risks and business continuity risks, among others. IA’s role is vital in evaluating whether proper governance is in place, adequate information security policies and practices exist, and clear metrics are documented to assess a service provider’s performance.

The increased reliance on information emerging from technology-driven channels also increases technology-based risks. Greater ease of access to information is the new normal, and companies need to find the balance between enabling technology and protecting assets from malicious individuals. As discussed in previous articles in this column, cybersecurity risks are a challenge for every company. Companies, regardless of size, are often targeted for their intellectual property. Given the heightened cybersecurity threat environment, companies need to upgrade existing controls in anticipation of worst-case scenarios. In this area, IA will be significant in evaluating the company’s information security programs, the adequacy of the company’s incident-handling process in identifying potential vulnerabilities and threats, and the management of access to critical information and privacy.

IA is only one of many business functions now being transformed by data, technology and innovation. Automation frees up resources so that they may be put to better use. While having in-house IA knowledge of technology generally makes operational sense, applying strategic partnerships to areas such as data analytics and robotics may yield better results.

IA leaders can continue to stay relevant to stakeholders and drive effectiveness and efficiencies for the company by rethinking audit delivery through investment in digital enablers such as RPA and optimizing the use of analytics in execution. The rise of new audit topics and the application of new tools require reinventing the future of talent as well. The required skills of an IA professional will now shift from pure audit expertise to those that address industry insight, technology advancement, and cultural adaptation. IA leaders should align these skillsets when recruiting new talent. While some skills may be developed internally, companies can also consider tapping an external flexible work force using co-source consultants or external subject matter resources so that internal talents can be refocused to higher impact audits.

IA must balance its priorities and resources to help organizations address the risks companies face today, anticipate emerging risks and stay in or ahead of the game. IA needs to adapt to today’s rapidly changing business environment and leverage the newest developments in order to stay ahead of the curve. To give an old saying a new twist: necessity, after all, is the mother of reinvention.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the authors and do not necessarily represent the views of SGV & Co.

Christiane Joymiel C. Say-Mendoza is an Advisory Partner of SGV & Co.